[57] ABSTRACT

The present invention discloses a network interface device for connecting a client computer system to an external network. The network interface device is configured for the client system by automated procedures and protocols initiated from a remote server. Software programs within the network interface device provide transparent communication between the client computer system and services available on the external network. Similar software programs and a configuration database within the network interface device provide transparent communication between the client computer system and the remote server.

SYSTEM AND METHOD OF CONFIGURING A REMOTELY MANAGED SECURE NETWORK INTERFACE

CROSS REFERENCES TO RELATED APPLICATIONS

The present application is related to the following co-pending U.S. Patent applications:

U.S. Patent application entitled, "Initializing and Reconfiguring a Secure Network Interface", having application Ser. No. 08/892,301, and filed on Jul. 14, 1999;

U.S. Patent application entitled, "Upgrading a Secure Network Interface", having application Ser. No. 08/897,214, and filed on Jul. 14, 1999;

which are assigned to the assignee of the present invention.

FIELD OF THE INVENTION

The present invention relates generally to the field of computer networks, and more particularly to a method of configuring and upgrading a network interface device.

BACKGROUND OF THE INVENTION

The Internet is rapidly becoming an important source of information and electronic communication for users of computers in homes and businesses. A major problem associated with the Internet, however, is the difficulty faced by typical computer users in connecting their computers or local area networks to the Internet. A computer user desiring to connect to the Internet must make many critical decisions, such as which communication medium to use, which Internet Service Provider to subscribe to, how to secure their network interface, and which network services to utilize. Business managers in charge of local or wide area networks must also address questions related to the type and configuration of computer networks which are to be connected to the Internet, and other such external networks (referred to as 'internets'). Unlike installing a new telephone system, installing an external network connection requires an understanding of many different, and often confusing, communication protocols, network services, connection media, and computer network practices.

Connecting a computer network to an internet requires a service account and a data communication line to access the various networks that make up the internet. A dedicated Wide Area Network (WAN) connection to an internet is typically provided by a commercial Internet Service Provider (ISP). The ISP acts as the intermediary between the user and the network backbone servers which provide access to the various networks within the internet. Several different data communication lines are available to connect a computer or LAN to the internet. Common data communication lines include analog modems (14.4 Kbaud-56 Kbaud), ISDN (Integrated Services Digital Network), T1 lines, Fractional T1 lines, and several others.

Obtaining an internet connection typically requires the user to order an internet account and address block from an ISP, install the appropriate phone lines for the data communication medium (e.g., ISDN line, analog phone line), install the appropriate network interface device between the data communication port and the computer which will serve as the network gateway computer, and configure the network interface device for operation with the user's LAN and in accordance with the network services provided by the ISP. Thus, the initial configuration of the network interface device must be performed by the computer user or LAN manager himself, and often requires extensive knowledge of network protocols, internet services, and LAN requirements. Initial configuration also often involves the entry of complex configuration parameters and options in a database or storage device by the LAN manager. Similarly, an upgrade or reconfiguration of the network interface device requires the user or LAN manager to obtain the upgrade information and perform the upgrade or reconfiguration operation himself. Because no internet services or data communication systems currently provides a comprehensive and reliable means of automatically configuring or updating a network interface connection to an internet, internet access remains a significant challenge to those who lack the requisite expertise or resources to undertake the task.

It is therefore desirable to provide a system for connecting a computer or client network to the internet with minimal user interaction. It is further desirable to provide a system for automatically upgrading or reconfiguring a network interface connection between a computer or client network and an internet.

SUMMARY OF THE INVENTION

The present invention discloses a method and apparatus for initializing, configuring, and upgrading a network interface between [...] external network.

According to one aspect of the present invention, a network interface device is provided to connect a client computer network to an external network. The network interface device is provided to the client user in an initially configured state. The network interface device is configured for the client system by automated procedures and protocols initiated from a remote server. The remote server provides and maintains the client information in a secure database. The use of a database and automated procedures minimizes the amount of input required from the user. The network interface device contains application program interfaces which facilitate communication between the client computer system and services available on the external network. The network interface device also contains a configuration database which stores data and parameters related to the configuration of the network interface device. Through the use of the configuration database and the resident application program interfaces, the remote server is able to automatically upgrade or reconfigure the network interface device without user intervention.

Other features of the present invention will be apparent from the accompanying drawings and from the detailed description which follows.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals indicate similar elements and in which:

FIG. 1 illustrates a prior art interface between a client network and an internet.

FIG. 2 illustrates the interface between a client network and an internet according to one embodiment of the present invention.

FIG. 3 is a block diagram illustration of hardware components of the Gateway Interface Device according to one aspect of the present invention.

FIG. 4 illustrates the basic components of the Gateway Interface system software.

FIG. 5 is a functional block diagram of the runtime component of the system software.

FIG. 6 is a flowchart illustrating the process of controlling a service using the runtime component illustrated in FIG. 5.

FIG. 7 is a functional block diagram illustrating the software components of the Gateway Interface system.

FIG. 8 illustrates a registration key to encode user registration information according to one embodiment of the present invention.

FIGS. 9A and 9B are a flow diagram illustrating the procedure of initializing a Gateway Interface Device according to one aspect of the present invention.

FIG. 10 is a flow diagram illustrating the procedure of upgrading a Gateway Interface Device according to one aspect of the present invention.

FIG. 11 is a flow diagram illustrating the procedure of upgrading a Gateway Interface Device that is part of a virtual private network according to one aspect of the present invention.

FIG. 12 is a flow diagram illustrating the procedure of reconfiguring a Gateway Interface Device according to one aspect of the present invention.

FIG. 13 is a flow diagram illustrating the determination of network addresses by a client computer according to one aspect of the present invention.

FIG. 14 is a block diagram illustrating an example of a hierarchy of key certificates for the security framework according to one embodiment of the present invention.

DETAILED DESCRIPTION

A system for initializing, configuring, and upgrading a network interface device coupling a client Local Area Network (LAN) to a Wide Area Network (WAN) is described. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

In one embodiment, the steps of the present invention are embodied in machine-executable instructions. The instructions can be used to cause a general-purpose or special-purpose processor which is programmed with the instructions to perform the steps of the present invention. Alternatively, the steps of the present invention might be performed by specific hardware components that contain hardwired logic for performing the steps, or by any combination of programmed computer components and custom hardware components.

Present methods of interfacing a client LAN to an external network involve installing special data communication lines and network interface devices, and configuring these devices at the client site. FIG. 1 illustrates a typical prior art connection between a client network and an external network. Client network 120 includes a local area network (LAN) 110 containing several network client computers 114. LAN 110 also contains a gateway computer 112 which connects LAN 110 to an external network, such as an internet. LAN 110 may be a network consisting of a number of computers connected in an Ethernet network, a token ring network, an FDDI network, or any similar type of network arrangement. LAN 110 could also consist simply of one computer, such as computer 112, for which external network access is required. LAN 110 interfaces to outside networks through a network interface device 108 connected to gateway computer 112. In other network environments, LAN 110 may interface directly with network interface 108 without passing through a gateway computer 112. In typical home or office situations, network interface 108 can be a modem, an ISDN (Integrated Services Digital Network) interface box, or the like, and can be an interface card within gateway computer 112, or a standalone device which is kept separate from LAN 110 and gateway computer 112, such as in a separate phone closet or other isolated environment. Network interface 108 provides the connection to an internet over communication line 116. Current internet service for client networks is typically provided by a commercial Internet Service Provider, such as ISP 104. ISP 104 provides the necessary routers and gateway devices for [...] to internet from a client network, and provides various protocol and packet switching functions. Thus, client network 120 connects to an internet via communication line 116 through an ISP.

In prior art network connection environments such as that [...] and logical interface between client network 120 and the internet. The client user is required to install, configure, and maintain the network interface 108 and the interface to the telephone company 106. This requires that the LAN manager for the client network 120 have knowledge of the client LAN environment, as well as required protocol and interface information and various configuration parameters. As the types of network connectivity and the number of services available through the Internet increase, the task of installing, configuring, and maintaining a network interface to the Internet, and other such external networks, becomes more complicated. This increase in network interface complexity results in an increased possibility of improper network access which may cause unreliable service or insecure network connections. Thus, a distinct disadvantage associated with prior art network access scenarios is that the LAN manager for a client network must personally configure and maintain increasingly complex parameters related to both the LAN network protocols and the various network services.

In one embodiment of the present invention, the various physical network interface devices, security functions, and service interfaces are replaced by a single integrated network interface device, hereinafter referred to as a 'gateway interface device'. This integrated gateway interface device provides a single point of connectivity for various different types of data communication lines, such as Ethernet and ISDN, and contains a configuration database for the storage of parameters associated with the operation of the network interface. The gateway interface device also contains application program interfaces (API's) for transparent communication between the client LAN and various internet services. The gateway interface device further provides connectivity to a remote server process which provides remote initialization, configuration, and upgrades of the gateway interface device without necessitating extensive user interaction.

FIG. 2 illustrates an improved internet network access of the present invention utilizing the gateway interface device. Like the client network 120 of FIG. 1, client network 220 typically consists of a LAN environment 210 in which several personal or mini-computers are connected through network lines or hubs in a network arrangement. In the present invention, the simple network interface 108, of FIG. 1, which is typically a passive device configurable only from
client network 120 through gateway computer 112, is replaced by a gateway interface device 208. Gateway interface device 208 provides the physical and logical connection between LAN 210 and an external network, such as an internet. Data communication ports provided by gateway interface device 208 may include interfaces for analog modems, Ethernet, ISDN, T1 connections, and the like. Gateway interface device 208, also provides an interface to the remote servers and services provided in the present invention. This second means of access allows a secondary service provider to remotely configure, upgrade, and maintain diagnostics related to the network interface. It also facilitates the downloading of configuration parameters, a task which was traditionally left to the client LAN manager. Gateway interface device 208 also provides an efficient means to implement network security such as firewall functions, as well as other router and server functions.

The remote server 206 represents a central facility for providing convenient and efficient configuration and maintenance of the gateway interface device. In one embodiment of the present invention, the remote server 206 (hereinafter referred to as the "remote management server") is connected to ISP 204 and maintains a dynamic dialog with ISP 204 to configure and maintain gateway interface device 208 in client network 220. Remote management server 206 interacts with gateway interface device 208 to provide configuration information and upgrade parameters required by the gateway interface device 208. In this manner, remote management server 206 basically serves as a repository for information required by the gateway interface device 208. Such information may include configuration information related to LAN 210, internet address blocks, internet domain names, and data related to the physical and logical interfaces between the client network 220 and ISP 204.

Gateway interface device 208 contains a configuration manager which stores the configuration information transmitted from the remote management server 206. Gateway interface device 208 also contains service adapters which communicate with network services resident in the gateway interface device 208. The service managers are application programming interfaces that provide the required command and data translation for the various services available. Remote management server 206 and gateway interface device 208 contain security information such as passwords and encryption keys that are used to establish a trust relation sufficient to ensure secure remote configuration and upgrade of gateway interface device 208. By providing a configuration management function within remote management server 206 which is registered with an ISP 204, it is possible to download configuration and upgrade information and parameters to gateway interface device 208 at the time the gateway interface is first installed between the client network 220 and the telephone client 204. This eliminates the requirement that the network administrator program the network interface device with such configuration and initialization information. This system thus greatly reduces the amount of work required to connect client network 220 to an internet.

Gateway Interface Device Hardware

FIG. 3 is a block diagram illustrating representative hardware components within gateway interface device 208 of FIG. 2. Gateway interface device 208 includes central processing unit 316 coupled through a bus 302 to random access memory (RAM) 306, read-only memory (ROM) 308 and mass storage device 310. In one embodiment of the present invention, two mass storage devices 310 and 312 are used to provide redundant storage. Mass storage devices 310 and 312 can be any type of memory device which provides persistent storage of large amounts of data such as hard disk drives, tape drives, or memory cards. In one embodiment of the present invention, mass storage devices 310 and 312 are removable devices which can be moved from gateway interface device 208 to another similar gateway interface device, or removed for replacement by other like mass storage devices with either updated or different data or programs. Mass storage devices 310 and 312 may be installed and configured in a mirrored arrangement, such that identical data is written simultaneously to both drives. This allows a redundant backup functionality such that if one mass storage device fails, the other mass storage device can be automatically and quickly substituted since it contains the data contained in the first mass storage device. Gateway interface device 208 also contains non-volatile memory in the form of flash memory 304. Flash memory 304 stores critical system parameters and may be upgraded remotely from a remote server such as remote management server 206.

Also coupled to bus 302 is an expansion interface 320. Expansion interface 320 provides physical and logical lines which allow for the installation of industry standard expansion cards to expand the functionality of the gateway interface device 208. Such expansion functions could include additional memory capacity or an alternate network interface means. Gateway interface device 208 interfaces to external networks through a network interface port 314. In one embodiment of the present invention, network interface 314 includes four separate network interface connections and standards. Network interface 314 provides access to modem port 326, WAN interface 324, and Ethernet port 322. In one embodiment of the present invention, two Ethernet ports are provided by network interface 314.

Panel interface 318 provides the main physical interface between the user and gateway interface device 208. In one embodiment of the present invention, panel interface 318 is coupled to a front panel display and control system 330. Display and control system 330 contains two LEDs (light emitting diodes) 334 and 336, as well as push button switch 332. Push button switch 332 serves as an on/off switch as well as a high-level reset switch. If the gateway interface device is powered up and switch 332 is pressed for less than five seconds on, it executes a diagnostic process. If the gateway device is powered up and switch 332 is pressed for more than five seconds, it restarts the gateway interface device. Thus switch 332 allows a user to activate certain diagnostic routines and it provides a reset function in case of a hardware failure of the gateway interface device 208. LEDs 334 and 336 provide an indication of particular operational functions of the gateway interface device 208. Functions that are monitored by LEDs 334 and 336 may include the condition of the client LAN 210, the condition of the physical or logical connections between the client LAN 210 and the telephone company switch box, as well as the internal operation of the gateway interface device 208. The uncomplicated front panel display and control system 330 promotes the ease of use pursued by the present invention. The single push-button switch 332 provides a straightforward means of interaction with the gateway interface device, and dual LEDs provide a simple notification to the user in the event of a failure related to the primary virtual user interface.

System power to the gateway interface device 208 is supplied through power supply 340. Power supply 340 provides the varying voltage levels such (e.g., 12 VDC, 5 VDC, and 3.3 VDC) that may be required by the different
devices within the gateway interface device 208. Connected to power supply 340 is an uninterruptable power supply (UPS) battery 344. In one embodiment of the present invention, UPS battery 344 is a small compact unit which provides a charge sufficient only to keep gateway interface device 208 powered up for a smooth shutdown in the event of a hardware or network problem. A smooth shutdown procedure allows time to write critical data to the disks, and power down each of the devices within gateway interface device 208 in a non-destructive manner. Power supply 340 may be configured such that in the event of a hardware or network failure, software controlling operation of the gateway interface device 208 is executed to turn the machine off. In a similar manner, an on/off or reset switch, such as switch 332, may be similarly configured to request software to turn power down the gateway interface device. In one embodiment of the present invention, the user interface to the gateway interface device 208 is limited to front panel interface 318 and the front panel control and indication block 330. Gateway interface device 208 may be packaged in any number of standard package formats. In one embodiment of the present invention, the gateway interface device is packaged in a 19-inch form factor box. This facilitates the installation of the gateway interface device in a standard rack mount such as those commonly used in telephone switching closets, thus allowing the gateway interface device to be mounted in such a closet or other hidden location for unattended operation.

System Software 

FIG. 4 is a block diagram illustrating the components within the system software contained in and executed by gateway interface device 208. The gateway interface device system software 400 consists of three main portions. These are the BIOS (basic input/output system) section 402, kernel 404, and run-time section 406. The three components comprising the system software 400 may be stored and executed from read-only memory 308, RAM 306 or any combination of RAM, ROM, and disk within the gateway interface device 208.

BIOS section 402 contains the program code necessary to interface with the hardware within gateway interface device 208, these are typically low-level device drivers. BIOS 402 also contains diagnostic and monitor code as well as a BIOS extension for factoring in new code. Kernel 404 comprises the second layer of system software and contains high-level drivers for the hardware devices within gateway interface device 208, as well as drivers for system services that are required to operate the gateway interface device 208. Kernel 404 also contains task schedulers and an interrupt controller.

The third layer of system software 400 is the run-time section 406. Runtime section 406 contains the management daemons and services required for system control. In one embodiment of the present invention, run-time section 406 is implemented as a console-less version of a standard operating system. The implementation of a console-less operating system runtime allows the system software to operate without user intervention, thus facilitating the remote access capabilities of the present invention. This system also provides an interface to existing network services which are wrapped in a management layer to allow them to be plugged in or interfaced to the system without requiring user intervention or configuration. Such services that may interface with the system software include web service, electronic mail service, and other similar computer programs and application programs.

Runtime Layer 

FIG. 5 illustrates the functional relationships among the various components of the software associated with the runtime layer 406 of system software 400. The runtime layer 406 contains management programs for controlling the gateway interface device and provides the program interface between a user interface 502 operating on a computer coupled to client LAN 210, and network services available on an external network. FIG. 5 illustrates the runtime layer 406 as a functional program layer between the user interface 502 and network services 512. One example of a network service which could be represented by network service 512 is the popular Internet Web service, HTTP (hypertext transport protocol). The HTTP service contains a daemon process, HTTPD, which contains text configuration files which control access to, and operation of the web service. The HTTP service allows certain user actions such as editing of text files or changing a process. It should be understood that a number of different services or types of services may be controlled by runtime layer 406, and that service 512 illustrates only one such service.

Runtime layer 406 contains a configuration manager 506 which is an API operating through a remote procedure call (RPC) protocol to communicate commands between the user interface 502 and network services 512. Configuration manager 506 is connected to data store 508 which serves as a database for configuration and system data. Configuration manager 506 communicates to services 512 through services managers 510. One service manager is provided within runtime 406 for each service available to user interface 502. The service managers provide a consistent interface to the various network services. The service managers essentially 'wrap' a software management layer around network services to adapt the service for the gateway interface device. Each service manager allows a user, through a user interface, to perform certain service functions, such as bring down the service, reconfigure the service, and bring the service back up.

In one embodiment of the present invention, the configuration manager is a server process that dynamically loads within its own address space service managers which are implemented as dynamic libraries. The service managers 510 implement a particular API so that there is a consistent interface with service managers from the user interface 502. The configuration manager 506 provides an external API which facilitates communication with other programs on the gateway interface device 208, such as user interface 502. All of the network services provided by the gateway interface device 208 are represented by data structures in data store 508 which interface to the services 512 through the configuration manager 506. Through the implementation of the configuration manager and service managers as API's, a consistent communication interface to network services is provided. Thus, turning on a particular service simply requires accessing configuration manager 506 and setting a value in a particular data location. For example, to enable web publishing, the user could select an enabling option button in the user interface 502. User interface 502 then sets the appropriate parameter in the data store 508 to "on". This, in turn, enables the gateway interface device policy for web publishing. As parameters in the data store are changed in this manner, the service managers are notified of these changes in order to maintain currency with available services. Each of the services maintains service configuration files 516 which store configuration information related to the services.
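
The runtime layer described above can be modelled in a few classes. The following is an added example, not code from the patent: a configuration manager owns the data store, offers each proposed change to every service manager for a per-parameter syntax check and a whole-change veto (the checks the patent describes for the FIG. 6 flow), commits only if nobody vetoes, and then notifies the managers. Class names, data-store keys, the port-collision policy and the audit list are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class ServiceManager:
    """Uniform wrapper around one service (illustrative API, not the patent's)."""
    prefix = ""  # data-store keys this manager owns, e.g. "web."

    def __init__(self):
        self.applied = []  # committed changes this manager was notified of

    def check_syntax(self, key, value):
        """Level 1: False drops this one parameter; the request goes on."""
        return True

    def veto(self, current, proposed):
        """Level 2: return a reason to reject the whole change, else None."""
        return None

    def on_commit(self, changed):
        mine = {k: v for k, v in changed.items() if k.startswith(self.prefix)}
        if mine:
            self.applied.append(mine)


class WebManager(ServiceManager):
    prefix = "web."

    def check_syntax(self, key, value):
        if key == "web.enabled":
            return value in ("on", "off")
        if key == "web.port":
            return type(value) is int and 1 <= value <= 65535
        return True  # not a web parameter

    def veto(self, current, proposed):
        # Assumed policy: the web service may not take the management port.
        if (proposed.get("web.enabled") == "on"
                and proposed.get("web.port") == proposed.get("mgmt.port")):
            return "web.port collides with mgmt.port"
        return None


class MailManager(ServiceManager):
    prefix = "mail."

    def check_syntax(self, key, value):
        return key != "mail.enabled" or value in ("on", "off")


@dataclass
class Outcome:
    origin: str                                   # "ui" or "remote"
    committed: dict = field(default_factory=dict)
    dropped: dict = field(default_factory=dict)   # key -> managers rejecting it
    vetoed_by: str = ""
    reason: str = ""


class ConfigurationManager:
    def __init__(self, initial, managers):
        self.store = dict(initial)       # the data store
        self.managers = list(managers)
        self.audit = []                  # every request, whatever its origin

    def request(self, origin, changes):
        out = Outcome(origin)
        self.audit.append(out)
        accepted = {}
        for key, value in changes.items():
            rejecting = [type(m).__name__ for m in self.managers
                         if not m.check_syntax(key, value)]
            if rejecting:
                out.dropped[key] = rejecting   # bad parameter, request continues
            else:
                accepted[key] = value
        proposed = {**self.store, **accepted}
        for m in self.managers:
            reason = m.veto(dict(self.store), dict(proposed))
            if reason:                         # store is left untouched
                out.vetoed_by, out.reason = type(m).__name__, reason
                return out
        out.committed = {k: v for k, v in accepted.items()
                         if self.store.get(k) != v}
        self.store = proposed
        for m in self.managers:
            m.on_commit(out.committed)
        return out


def demo():
    """Constructed sample requests: one from the UI, two from the remote server."""
    web, mail = WebManager(), MailManager()
    cm = ConfigurationManager({"web.enabled": "off", "web.port": 80,
                               "mgmt.port": 8443, "mail.enabled": "off"},
                              [web, mail])
    results = [cm.request("ui", {"web.enabled": "on"}),
               cm.request("remote", {"web.port": 99999, "mail.enabled": "on"}),
               cm.request("remote", {"web.port": 8443})]
    return cm, web, mail, results


if __name__ == "__main__":
    for outcome in demo()[3]:
        print(outcome)
```

Requests from the user interface and from the remote management server take the same path here, so a remotely pushed change gets no weaker validation than a local one.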

FIG. 6 is a flow chart which illustrates a typical process associated with using or manipulating a service through user interface 502. In step 604 the user requests the start of a transaction involving a network service. A typical transaction may involve one or more service requests. The user then makes a service request through user interface 502 in step 606. The request could be any one of a number of service operations, such as a request to bring the service up or down, reconfigure the service, or any other such operation. The request is input from the user interface 502 to configuration manager 506. In step 608, the configuration manager 506 propagates the request to each service manager which is available within the runtime layer 406. If necessary, the service manager 510 performs any translation or adaptation of the request to a corresponding command recognized by the service. The service manager 510 also checks the request and evaluates the proposed change in the data store 508. Service managers are thus given the opportunity to veto requests or changes to the data store 508 that may potentially crash the system.

The service managers are provided a two level check. One level is a simple syntax check in which a service manager checks the syntax of the request or parameter. If the request contains an improper parameter, the service manager may reject the parameter but accept the request. In step 610, the service manager performs a syntax check. If, in step 612, it is determined that the syntax of the request is not acceptable, the configuration manager notifies the user and ignores the parameter which did not correspond to the correct syntax, step 614. The process then proceeds again from step 606 in which the user is given another opportunity to enter a syntactically correct service request. If it is determined, in step 612, that the syntax of the service request is proper, the configuration manager adds the request to the transaction, step 616.

In step 618, the configuration manager checks whether there are further requests to be included in the transaction. If further requests are to be processed, the process proceeds from step 606 and the user inputs a further service request through the user interface. If, in step 618, no further requests are determined to be included, the user requests the transaction to be committed, step 620. The configuration manager then propagates the commit request to each applicable service manager, step 622.

The second level check provided to service managers involves a veto of the request as a whole. Such a veto may occur if the required changes to the data store invoked by the request may cause a system failure. If the change is not allowed by the service manager, step 624, changes are not written to data store 508, and the transaction is aborted, step 626. In this case an error message may be sent to the user interface 502 to alert the user of the failure of the transaction. If however, in step 624, it is determined that the change is allowed by the service manager, the values are written to data store 508 and the transaction is committed, step 628. The result of the operation may then be propagated back to user interface 502 through the service manager and configuration manager 506.

The service managers 510 may also be configured to periodically check the state of their respective services 512. The service manager polls the service daemon to check whether the service is still running. If the service daemon is not up, the service manager can attempt to bring it up or move into a failed state if it cannot bring up the service. This failed state is observed by a diagnostic process managed by diagnostic managers 514, and reflected in the user interface. The frequency of the polling operation may be set in the configuration manager at the time a service manager is loaded into the system.

Remote server 504 contains the remote management server process. The remote management server can connect to the configuration manager 506 in order to perform monitoring and reconfiguration. Remote management server 504 stores configuration information provided by the user which is related to the user's local area network environment, service requirements, domain names, and so on. The remote management server also provides a mechanism whereby new services may be added to the system and corresponding new service managers may be added to the runtime layer. A service request which is initiated by the remote management server would propagate through the runtime layer in a manner similar to a user interface initiated request, as illustrated in FIG. 6.

FIG. 7 is an expanded and more detailed illustration of the software components which comprise the gateway interface device system software. In one embodiment of the present invention, configuration manager 506 is a server process with an RPC interface layer 705. Configuration manager 506 dynamically loads service manager libraries upon startup. The service manager libraries that are to be loaded are provided in configuration file 709 which stores certain parameters and files for writing to configuration manager 506 upon startup. In an alternate embodiment of the present invention, the service managers are implemented in architecture independent program modules (e.g., Java classes), which are loaded on demand by a configuration manager. In the alternate embodiment of the present invention, the configuration manager itself may also be implemented in an architecture independent program module.

Several different service managers may be available. A minimal set of service managers for a typical internet access scenario may include a domain name service (DNS) manager, HTTP manager, electronic mail manager, IP manager, ISDN manager, and system manager, among others. The implementation of service managers allows the use of unmodified services. The service managers provide a consistent interface and minimize the necessary changes to a service to integrate the service in the system.

In one embodiment of the present invention a user manager is also provided. Users are represented as entries in the data store, as opposed to being represented in a password file, as in other standard network operating systems. Also provided is a network configuration service manager to manage the initial configuration process and tasks such as entering a registration key and other initial configuration operations.

Logically connected to the configuration manager 506 is data store 508. Data store 508 primarily stores parameters related to the services. In one embodiment of the present invention, the data store resides in RAM, and a persistent form is also stored on secondary memory, such as a hard disk. Changes to the data store are written to log file 710. Log file 710 maintains a list of completed transactions to disk, and allows a mechanism whereby the configuration manager can roll back to a known good state in the event of a system crash.

As described in relation to FIG. 5, configuration manager 506 communicates to various network services through service manager APIs which provide a common interface environment for the user interface 502. In FIG. 1, several services 512, and their corresponding service managers 510 are illustrated. The various services 512 provided by the external network report errors and diagnostic information through a socket level protocol to a system logging facility 716. System logging facility 716 serves as a general repository for diagnostic messages; it also distributes these messages to specific files or functions based upon information inside the messages. According to one embodiment of the present invention, the system logging facility is configured to send messages in a protocol format which is designed to review the diagnostic messages and automatically transmit the message to appropriate functions (agents). These agents then cause the system to take corrective action without user intervention, or alternatively notify the user that a problem or diagnostic condition exists.

A set of diagnostic agents 718 are logically coupled to system logging facility 716. In one embodiment of the present invention, each diagnostic agent is programmed to respond to particular problems or error message formats, thus increasing the efficiency with which errors or diagnostic conditions may be handled in relation to particular services. As system logging facility 716 receives messages through network sockets from the different services 714, system logging facility 716 routes particular messages to specified destinations as the messages demand. The messages are also transmitted unformatted to appropriate diagnostic agents 718. The diagnostic agents examine the messages as they are received and continuously determine whether or not the system is performing properly.

System logging facility 716 writes its operations to a diagnostic log file 717 through a diagnostic logging agent. This agent collects all of the messages into diagnostic log file 717. The diagnostic log file is used in the case where the system has failed in a manner that cannot be readily remedied. In this case technical support personnel can read the raw log data from diagnostic log file 717 to determine the problem. Thus, the log file provides an audit trail for technicians to use. If a diagnostic agent encounters a message indicating an error or other exceptional occurrence which requires reporting to the user interface 702, a message is sent to reporting manager 720. Reporting manager 720 is a repository for reports that are generated by the diagnostic agents. The reporting manager 720 provides a query capability for the reports that it stores and allows an ability to delete or time-out the reports, among other such functions. A report consists of a message code, any related arguments to that message, and time-stamping and expiration information. The message code and related arguments are used by the user interface to localize the report. The report also contains a mechanism for resolving the report, for instance, a uniform resource locator (URL) may be included. The user interface requests report information from the reporting manager and locally presents these reports to the user.

Reporting manager 720 maintains an active report database 721 which serves as a persistent store for reports that are active. If necessary, user interface 502 can extract reports directly from reporting manager 720. In addition to active report database 721, reporting manager 720 sends the message to an asynchronous notification server 726. Asynchronous notification server 726 communicates the existence of a problem to the user through a display message on user interface 502. In one embodiment of the present invention, asynchronous notification server 726 displays a dialog box on the display screen of the client computer to which the gateway interface device is connected, and alerts the user of a problem on the gateway. Part of the message may be an icon that enables a web browser which accesses the URL contained within the error message. The system monitor is also configured to periodically ping the gateway interface device to monitor proper operation. If the gateway interface device does not respond, the system monitor may cause the display of a message alerting the user that the gateway is not responding with instructions on how to proceed.

Thus, the process of performing operation monitoring, error diagnosis, and error reporting is accomplished through a combination of system logging facility 716, diagnostic agents 718 that communicate with system logging facility 716, reporting manager 720, and asynchronous notification 726.

Remote System Management

The combination of a security framework, configuration manager API, service managers and diagnostic reporting capabilities within the runtime layer 406 of system software 400 creates a generic framework for interfacing with various network services through a single user interface. It also allows remote management of the gateway interface device, and provides an efficient mechanism for initially configuring, upgrading, or reconfiguring the gateway interface device.

Discussion is now provided for three proprietary protocols which control communication between the remote management server remote server process and the gateway interface device. These protocols involve operation of the configuration manager 506 and cover the initialization, upgrade, and reconfiguration of the gateway interface device within the client network LAN environment.

Initialization

The initialization protocol utilized by the gateway interface device provides a method by which the gateway interface device and the gateway computer of the client LAN are configured for internet access from a remote server with minimal user interaction. In one embodiment of the present invention, the remote server (remote management server) communicates with the gateway interface device through the external network medium, but is viewed as a virtual device in terms of configuration and remote management from the point of view of the client network. The initialization protocol is used when the client network orders internet access from an Internet Service Provider and receives the gateway interface device.

In one embodiment of the present invention, it is assumed that there is a TCP/IP (Transmission Control Protocol/Internet Protocol) based network client on the client LAN which has physical connectivity over the LAN to the gateway interface device. It is further assumed that the gateway computer is a node within a TCP/IP network. FIGS. 9A and 9B provide a flow diagram of the process of a client network installing and configuring a gateway interface device using the initialization protocol provided by the system software. Referring to FIG. 9A, the initialization process begins in step 902 when the customer calls an ISP to obtain an internet account. In one embodiment of the present invention, the ISP is appropriately registered to provide the gateway interface device and accompanying services. The ISP obtains customer requirements such as the client LAN environment, network services which the customer requires, the desired data communication medium, and the network interface connections that the customer requires. The ISP then allocates IP address blocks, assigns internet domain names and decides where to provide the physical network connections, step 904. For example, if the customer desires an ISDN connection to the internet, the ISP would decide where to hook up the ISDN line, and orders the ISDN service for the customer. The ISP provides the remote management server with the configuration information for the user. According to one embodiment of the present invention, this is achieved through a web-based user interface. A customer registration web site provides a customer registration form which is used by the ISP. The ISP enters customer network addresses, domain names and network connection information in the registration form, step 906. This customer registration information is then stored in the remote management server after having been entered into the customer registration form, step 908. The remote management server acts as a storage facility for this customer information. After the customer registration information is stored, the remote management server generates a customer registration key and sends the registration key to the ISP, step 910. The registration key serves as the principal identification and security mechanism for initial installation of the gateway interface device in the client LAN.

FIG. 8 illustrates the contents and format of the registration key. In one embodiment of the present invention, the registration key is 80 bits long and contains three fields. The first field, 802, is the remote management server key which is 12 bits long and uniquely identifies the remote management server which generated the registration key. The second field, 804, is the gateway registration key field which is 56 bits long and uniquely identifies the gateway interface device to the remote management server. The third field, 806, is a cyclic redundancy check (CRC) field which is 12 bits long and provides a CRC on two other fields to allow self checking. The gateway registration key 800 is represented as an ASCII sequence. The registration key serves to identify the gateway interface device to the remote management server and it also serves to identify the appropriate remote management server to the gateway interface device. The gateway registration key 804 field within registration key 800 provides an identification for the remote management server which generated the registration key and it also provides the means by which the gateway interface device can contact the remote management server for configuration and initialization information once the network connection is established. Once the registration key has been issued by the remote management server and used by the gateway interface device to which it has been assigned, it is marked by the remote management server as a used key. Through this mechanism, a registration key may only be used once. This prevents a subsequent unauthorized use of the registration key by a second user or a user of a cloned gateway interface device.

Once the registration key has been provided to the ISP, the ISP passes that key along to the customer, step 912. In typical situations this is done either over the phone or by fax. In step 912 the ISP also orders a gateway interface device for the customer as well as a data communication interface line, e.g., ISDN or T1 line, for the customer. The customer then receives and installs the gateway interface device and software, step 914. Once the gateway interface device has been physically connected between the client network gateway computer and the phone switch, the first task of the initialization protocol is to locate the gateway on the client network. The problem in this situation is that a device on a network requires an address in order to communicate on the network. However, when a gateway interface device is initially installed and booted up, the addresses of network devices are unknown. One embodiment of the present invention includes a gateway installation protocol which provides a means for determining device addresses and establishing initial communications between devices on the client LAN. A detailed discussion of the gateway installation protocol (GIP) is provided below, and illustrated by the flow chart of FIG. 13.

Once the client computer and gateway interface device have located the gateway (through the GIP protocol, or other such method), the client accesses the embedded web page provided in the gateway interface device, step 918. The web page is provided by an administrative web service which is built into the gateway interface device. The user then enters the registration key which was provided to him by the ISP in the appropriate field in the web page, step 920. Once the user has typed in the registration key, the gateway interface device decodes the registration key in order to obtain the remote management server ID which is contained in the second field of the registration key. It then initiates a phone call to the remote management server over the network line, step 922. The gateway interface device then establishes a PPP (Point-to-Point) connection to the remote management server through a proprietary authentication scheme, step 924, using the registration key and the gateway interface device serial number. The registration key is unique to the customer and the serial number is unique to the gateway interface device. Thus, the authentication scheme serves to identify the gateway interface device and the customer to the remote management server. The remote management server authenticates the information against information in its customer database by associating the serial number of the gateway interface device with the login key, step 926. In the first step of this process, the remote management server determines whether the registration key has been marked as used. If the registration key has not been marked as used, the remote management server registers the registration key as a valid customer registration. The remote management server then checks the serial number to determine whether the serial number is a validly issued gateway interface device serial number. If so, the serial number and the registration key are stored in the remote management server database to identify the client network.

The gateway interface device then initiates a remote 
procedure call (RPC) communication session with the gate- 
way interface device and provides an encryption key. This 
RPC communication is established by the gateway interface 
device to request configuration information from the remote 
management server. As part of this communication session,
the remote management server provides a configuration file 
to the gateway interface device, step 928. In one 
implementation, the configuration file may be in the form of 
a script which is executed locally in the gateway interface 
device, step 932. This step configures the gateway interface 
device by loading specific parameter values in the appro- 
priate locations of the data store. The gateway interface 
device writes configuration values into the configuration 
manager, step 934. Upon completion of the configuration 
process, the gateway interface device transmits a message to 
the remote management server verifying successful 
configuration, step 936. To conclude the initialization 
process, the remote management server confirms the gate- 
way interface device verification and marks the registration 
key as used, step 938. This step prevents unauthorized re-use 
of the registration key. 
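The registration key of FIG. 8 and the used-key handling of steps 926 and 938, as an added example that is not part of the patent. The CRC-12 polynomial, the Base32 ASCII form, the sample server id and serial number, and all function and class names are assumptions; the patent gives only the field widths, that the CRC covers the other two fields, and that a key is accepted once.

```python
# Added example: 80-bit registration key (FIG. 8 layout), accepted only once.
# Assumed, not from the patent: CRC-12 polynomial 0x80F (MSB first, zero
# initial value), Base32 as the ASCII form, and every name used below.
import base64
import secrets

SERVER_BITS, GATEWAY_BITS, CRC_BITS = 12, 56, 12  # fields 802, 804, 806
PAYLOAD_BITS = SERVER_BITS + GATEWAY_BITS
CRC12_POLY = 0x80F  # x^12 + x^11 + x^3 + x^2 + x + 1 (assumed)


def crc12(value, nbits):
    """CRC-12 of the nbits-wide integer `value`, processed MSB first."""
    reg = 0
    for i in range(nbits - 1, -1, -1):
        feedback = ((reg >> (CRC_BITS - 1)) ^ (value >> i)) & 1
        reg = (reg << 1) & 0xFFF
        if feedback:
            reg ^= CRC12_POLY
    return reg


def encode_key(server_id, gateway_id):
    """Pack server id | gateway id | CRC into 80 bits -> 16 ASCII characters."""
    if not 0 <= server_id < 1 << SERVER_BITS:
        raise ValueError("server id must fit in 12 bits")
    if not 0 <= gateway_id < 1 << GATEWAY_BITS:
        raise ValueError("gateway id must fit in 56 bits")
    payload = (server_id << GATEWAY_BITS) | gateway_id
    word = (payload << CRC_BITS) | crc12(payload, PAYLOAD_BITS)
    return base64.b32encode(word.to_bytes(10, "big")).decode("ascii")


def decode_key(text):
    """Return (server_id, gateway_id); raise ValueError on a mistyped key."""
    cleaned = text.strip().upper()
    if len(cleaned) != 16:
        raise ValueError("registration key must be 16 characters")
    try:
        word = int.from_bytes(base64.b32decode(cleaned), "big")
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("registration key has invalid characters") from exc
    payload, crc = word >> CRC_BITS, word & 0xFFF
    if crc12(payload, PAYLOAD_BITS) != crc:
        raise ValueError("registration key failed its CRC self-check")
    return payload >> GATEWAY_BITS, payload & ((1 << GATEWAY_BITS) - 1)


class RegistrationServer:
    """Remote management server side: issue keys, accept each one once."""

    def __init__(self, server_id, valid_serials):
        self.server_id = server_id
        self.valid_serials = set(valid_serials)  # validly issued device serials
        self.issued = {}  # gateway_id -> customer record
        self.used = {}    # gateway_id -> serial bound at first use

    def issue(self, customer):
        """Step 910: generate a fresh key for a stored customer registration."""
        gateway_id = secrets.randbits(GATEWAY_BITS)
        while gateway_id in self.issued:
            gateway_id = secrets.randbits(GATEWAY_BITS)
        self.issued[gateway_id] = customer
        return encode_key(self.server_id, gateway_id)

    def authenticate(self, key_text, serial):
        """Step 926: return "ok" or the reason the login is refused."""
        try:
            server_id, gateway_id = decode_key(key_text)
        except ValueError as exc:
            return str(exc)
        if server_id != self.server_id or gateway_id not in self.issued:
            return "unknown registration key"
        if gateway_id in self.used:
            return "registration key already used"
        if serial not in self.valid_serials:
            return "serial number not issued"
        return "ok"

    def confirm_configured(self, key_text, serial):
        """Step 938: after verified configuration, mark the key as used."""
        if self.authenticate(key_text, serial) != "ok":
            return False
        self.used[decode_key(key_text)[1]] = serial
        return True


def demo():
    # Constructed sample values: server id 0x2A5 and serial "GW-000123".
    server = RegistrationServer(0x2A5, {"GW-000123"})
    key = server.issue("example customer")
    first = server.authenticate(key, "GW-000123")
    server.confirm_configured(key, "GW-000123")
    replay = server.authenticate(key, "GW-000123")  # second use of the same key
    return key, first, replay


if __name__ == "__main__":
    print(demo())
```

A 12-bit CRC only catches transcription errors in a key passed along by phone or fax; it does not authenticate anything, so protection against re-use rests on the server's used-key record.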

The use of a remote server to provide initial configuration 
parameters over a network prevents the need for the client to 
determine the parameters and input these manually into the 
gateway interface device himself. Thus, the initialization 
process serves three basic functions. First, it supplies the 
configuration information to the client network; second, it 
associates the gateway interface device and the client net- 
work to the remote management server; and third, it pro- 
vides the remote management server with credentials for 
providing secure communication in later communication 
sessions. 

Upgrade Procedure 

The second protocol for communication between the remote management server and the gateway interface device involves the software upgrade process. In one embodiment of the present invention, the upgrade process involves a full upgrade of the system software residing in the gateway interface device as opposed to a partial upgrade of the system software. The full upgrade thus involves an upgrade of 100% of the bits comprising the gateway interface device software. For example, such an upgrade could be necessary if an entirely new revision of network interface software is made available to client networks. The upgrade process thus ensures that the latest version or a common version of system software is running on all networks supported by a remote management server.

In one embodiment of the present invention, the upgrade process consists of transmitting an upgrade package and three scripts which implement the upgrade procedure. These scripts include a pre-install script, an install script, and a post-install script. For security purposes, the upgrade package is cryptographically authenticated and encrypted.

The first step of the upgrade process involves making the upgrade package available on selected remote server sites which are capable of transmitting files using the TCP/IP file transfer protocol (FTP). These FTP sites provide the upgrade package for download to client networks which request the upgrade. The upgrade package is registered on the remote management server as an available upgrade and the upgrade package is registered with the selected FTP sites, step 1002.

The remote management server sends a notification message to gateway interface devices within client networks which are to be upgraded, step 1006. The notification message is a secure message which the remote management server sends only to gateway interface devices which have been predetermined to be qualified for an upgrade. The notification message includes four parameters which have been associated with the upgrade package, step 1004. The first is a fetch time window which specifies the date or time range during which the upgrade package will be made available on the FTP servers; the second is an apply time window which specifies the time at which the upgrade is to be applied within the gateway interface devices; the third parameter is the address of the FTP site where the upgrade is available. The final parameter in the notification message is a decryption key to decrypt the software comprising the upgrade package. The notification message itself is encrypted through a cryptographically secure communications protocol (e.g., public/private key encryption).

The gateway interface device receives the notification message sent by the remote management server and first checks whether the gateway interface device is part of a virtual private network (VPN), step 1008. If in step 1008 it is determined that the gateway interface device is part of a VPN, the gateway interface device rejects the upgrade notification, step 1010. At this point the gateway interface device must execute a separate upgrade protocol referred to as the VPN upgrade protocol, step 1012. This process is illustrated in FIG. 11.

If, however, it is determined, in step 1008, that the gateway interface device is not part of a VPN, the gateway interface device records the notification message, step 1014. In recording the notification message, the gateway interface device records the information specifying when to get the upgrade package, where to get the upgrade package from, how to decrypt the package, and when to execute the upgrade operation. At this point the gateway interface device is left on its own to perform the upgrade operation; the remote management server is no longer involved in the normal upgrade procedure.

During the time period specified by the fetch time window, the gateway interface device retrieves the upgrade package from the specified FTP site, step 1016. Upon retrieving the upgrade package, the gateway interface device executes the pre-install script to verify the possibility and appropriateness of the upgrade, step 1018. The pre-install script determines whether it is physically possible to upgrade the software within the gateway interface device. The gateway interface device can reject an upgrade on the basis of factors such as insufficient memory to perform the upgrade, or an attempted upgrade to a software version which is already present on the gateway interface device. The pre-install script ensures that an upgrade operation either completely fails or completely succeeds so that a gateway interface device or a client network is either fully upgraded, or left in the original state with regard to the version of the gateway software.

If the gateway interface device verifies that an upgrade is both possible and appropriate, the gateway interface device executes the install script to apply the upgrade at the time specified by the apply time window, step 1020. The time specified by the apply time window may also be determined or modified by user preference. This allows the user to specify an upgrade during times when the gateway interface device is not subject to heavy network traffic, or is already subject to normal maintenance.

Once the gateway interface device has executed the upgrade, it performs a reboot so that it boots up in the upgraded state. At step 1022, the gateway interface device checks whether the upgrade was successful. If the upgrade fails, the gateway interface device rolls back to its pre-upgrade state, step 1024, and notifies the remote management server of an upgrade problem, step 1026. At this point the upgrade process ends. This diagnostic process for failed upgrade ensures that a gateway interface device is either completely and successfully upgraded or not upgraded at all. In the case of a failed upgrade, the gateway interface device operates with the previous version of the gateway interface software.

If, however, in step 1022 the gateway interface device determines that the upgrade and reboot were successful, the gateway interface device then executes the post-install script and notifies the remote management server of the upgraded status, step 1030. The remote management server stores this upgraded status as part of the configuration information related to that particular gateway interface device. The post-install script contains commands for resolving references within the upgraded software, as well as recording the upgraded version number in appropriate places for the configuration manager.

VPN Upgrade

If, in step 1008 of FIG. 10, it was determined that the gateway interface device is part of a VPN, the upgrade operation proceeds according to the VPN upgrade protocol illustrated in FIG. 11. A separate VPN upgrade protocol is required because a VPN presents a unique situation in which it is not desirable for only one member of a VPN to be upgraded when other members of the VPN are not upgraded, since this would cause different nodes of the same network to be running different versions of the system software.

In step 1102 of FIG. 11, the remote management server sends a notification message to the headquarters branch of the VPN. The headquarters branch of a VPN is essentially the top level of the VPN. If a non-headquarters branch of a VPN receives an upgrade notification from the remote management server, it will reject the notification. A non-headquarters branch will only accept an upgrade notification from the headquarters branch. The headquarters branch records the notification message and notifies the other VPN nodes of the upgrade, step 1104. In order to successfully upgrade a VPN, all nodes of the VPN must accept the upgrade. In step 1106, it is determined whether all nodes of the VPN accept the upgrade. If one or more nodes of the VPN notifies or returns a negative response to the upgrade, the headquarters branch notifies the remote management server that the VPN will not upgrade, in step 1108, and the VPN upgrade process ends with no upgrade being performed. If, however, in step 1106 it is determined that the nodes of the VPN will accept the upgrade, the headquarters branch retrieves the upgrade package from the specified FTP site at the time specified by the fetch time window, step 1110. The headquarters branch then propagates the upgrade package to each VPN node, step 1112. Each VPN node within the VPN executes the install script to apply the upgrade at the time specified by the apply time window. As in the non-VPN upgrade case, the apply time may be modified by user preference, step 1114. Each VPN node then notifies the headquarters branch of its upgraded status, step 1116.

Because upgrades of the nodes within a VPN must be comprehensive, the headquarters branch checks to verify whether all VPN nodes performed an upgrade, step 1118. If one or more VPN nodes fail to upgrade successfully, the nodes of the VPN will fail into a diagnostic state, step 1120. The headquarters branch will then notify the remote management server of a VPN upgrade failure, step 1122. At that point, the nodes of the VPN will reject the upgrade and revert to usage of the previous version of the gateway interface software. If, however, in step 1118 it is determined that all VPN nodes performed the upgrade procedure successfully, the headquarters branch notifies the remote management server of the VPN upgrade and the remote management server records the upgrade information in its configuration database, step 1124. The process of VPN upgrade protocol then ends with each node of the VPN performing the post-install script to record the new version numbers and new configuration databases.

Reconfiguration

The reconfiguration protocol between the remote management server and the gateway interface device is used

FIG. 12 is a flow chart which illustrates the reconfiguration process. The reconfiguration process starts with the remote management server sending reconfiguration notification messages to eligible target gateway interface devices, step 1202. In one embodiment of the present invention, the reconfiguration package simply consists of data store operations for new parameters as well as an apply time window. Upon receiving the reconfiguration notification message the gateway interface device verifies the reconfiguration request. If the reconfiguration request is not acceptable, the [...] remote management server. If, however, the reconfiguration request is valid, the gateway interface device records the notification message, step 1204. In step 1206, the gateway interface device writes the new parameters specified in the reconfiguration message to the data store at the time specified by the apply time window. In step 1208 the gateway interface device verifies that the reconfiguration was successful. If the reconfiguration is not successful, the gateway interface device notifies the remote management server of a reconfiguration problem, step 1210, and then automatically rolls back to the state prior to the reconfiguration request, step 1212. If, however, in step 1208 it was determined that the reconfiguration was successful, the gateway interface device notifies the remote management server of its reconfigured status, step 1214.

Security Framework

The trust relationship established between the gateway interface device and the remote management server is implemented through a comprehensive security framework provided by authentication and encryption mechanisms. Except for the initial configuration process, which is performed over a direct phone line, all communications between the gateway and the remote management server are protected by the Secure Sockets Layer (SSL) protocol. SSL supports the upgrade, reconfiguration, and diagnostic protocols. The gateway interface device uses a public key cryptographic algorithm signed Hardware Certificate which adheres to ITU X.509 version 3 (1996) ASN.1 encoding conventions, while the remote management server uses a public key cryptographic algorithm signed Head-End Certificate. This enables both one-way and mutual authentication. Authentication and
when the gateway interface device is to be reconfigured in security are necessary to facilitate reliable gateway interface 
some manner. Unlike an upgrade which is the substitution of device identification, remote management server 
all of the software components within the gateway interface identification, data communication encryption, and software 
device, reconfiguration involves only an upgrade or changes security for programs and data downloaded to a gateway 
to parameters in the data store of the gateway interface 45 interface device. 

device. The reconfiguration package made available to a The system software within the gateway interface device 

gateway interface device includes only an apply time win- supports a variety of public key certificates incorporating 

dow. No fetch time window or encryption key is required. different cryptographic algorithms for reasons of enhanced 

The reconfiguration information is contained within a security and internationalization, 
reconfiguration notification message which notifies the gate- 50 A Certification Authority issues the certificates which are 
way interface device of the availability of reconfiguration stored within a gateway interface device. A three level key 
parameters. The reconfiguration notification basically com- hierarchy is used for trust separation. Each certificate con- 
prises operations instructing the addition or deletion of tains a issuer distinguished name, a subject distinguished 
parameter entries within the data store. Therefore, the recon- name, a validity interval, a serial number, and a pubUc key. 
figuration notification essentially consists of data store 55 FIG. 14 is a block diagram which illustrates one example 
operations. A typical reconfiguration operation focuses on a of a hierarchy of key certificates according to one embodi- 
particular group or subset of gateway devices. That is, ment of the present invention. The first level of the hierarchy 
particular gateways may need to have their systems recon- 1402 is the root key certificate level. The gateway interface 
figured. The reconfiguration protocol provides an easy and device stores two root RSA public key certificates and two 
efficient means of automatically providing reconfiguration 60 root DSA public key certificates, with the corresponding 
information to the gateway interface devices of the custom- private keys. These four certificates are stored in a persistent 
ers. This prevents the need to have Internet Service Provid- store, such as the read only memory (EEPROM) 308 within 
ers contact each customer and instruct those customers to the gateway interface device. The first key of a pair is the 
change their gateway interface devices in a particular way. primary key, and the second key of a pair is available as a 
Id this manner, the customer network gateway interface 65 backup. 

devices are reconfigured with minimal interaction by either The root RSA public keys 1410 have corresponding 

the ISP or the user. private keys that are used only for occasional signing of next 
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level Public Key Certificates issued by the Certification authority certificates for secure communications regarding 

Authority, and are otherwise maintained in an off-line secure engineering and licensing activities concerning the gateway 

environment only accessible by authorized entities. The root interface device. 

certificates are self -signed and effectively never expire. They Except for the root certificates, most certificates are only 

are trusted by virtue of being present in a persistent store 5 valid for a fixed period of time and automatically expire after 

such as EEPROM. this period (e.g., two years). If, however, a certificate needs 

The root DSA Public Key Certificates 1420 contain to be invalidated prior to its expiration date (for example, in 

discrete log DSA public key values and signatures instead of the case of a key compromise), the present invention 

RSA values. As with the top level RSA keys, top level DSA includes a method for certificate revocation. Most certifi- 

keys are only used for signing next level DSA Public Key 10 cates are maintained in the data store of a gateway interface 

Certificates issued by the Certification Authority, and are device. A method for revocation utilizes the reconfiguration 

afforded similar protection as in the RSA case. The distin- and update mechanism using Certificate Revocation Lists. A 

guished name and other fields unrelated to keying contain Certificate Revocation List is a time-valued list of serial 

the same information as in the RSA case. numbers signed by a Certification Authority. 

The second level of the hierarchy 1404 are certification 15 Gateway Installation Protocol 

keys for Certification Authorities (CA) dedicated to the The gateway installation protocol (GIP) is a minimal User 

gateway interface device and the remote management Datagram Protocol (UDP) based protocol designed to solve 

server. the problem of bootstrapping the gateway setup process. The 

The second level of certificate key hierarchy for the user interface for the gateway interface device is delivered 

hardware aspect of the gateway interface device is a manu- 20 to the network client through TCP/IP (which requires an IP 

facturing Certificate Authority, referred to as the RSA Hard- address), however when the gateway interface device is 

ware CA 1412. This Certificate Authority has an RSA key initially delivered it is not configured for TCP/IP (it does not 

pair, and its certificate is signed with the root RSA key. The have an IP address assigned to it). The gateway installation 

RSA Hardware CA Public Key Certificate 1412 bears the protocol is designed to bootstrap the gateway interface 

root CA issuer name (primary or secondary) and a subject 25 device into existence on the client network in a safe manner, 

name. Each gateway interface device is provided with a GIP allows the network client to discover the address 

unique RSA key pair generated during production. The assigned to the gateway interface device and then properly 

system ROM 308 for each gateway interface device contains configure the gateway interface device with its network 

a Public Key Certificate signed using an RSA Hardware CA address. 

key 1412, along with the corresponding private key. The 30 When the gateway interface device is in an uninitialized 

serial number of the gateway interface device is provided in state it initiates a periodic GIP broadcast of an advertisement 

the certificate as part of the identity. message indicating its IP address, a URL for access to an 

This certificate is referred to as the RSA Hardware administration web server and whether an address provision 

Certificate 1416, which, for the gateway interface device, server (e.g., a DHCP server, DHCP is a network service 

represents the third level in the certificate key hierarchy. An 35 which provides device addresses upon request) was found 

RSA Hardware Certificate bears the issuer name of the on the network. In turn, the gateway interface device expects 

particular manufacturing Certification Authority that signed a GIP message from a client computer on the client LAN. 

it, and a subject distinguished name. The data store within This message can be either a broadcast query message trying 

the gateway interface device maintains a current RSA Hard- to locate a gateway or a directed acknowledgment message 

ware Certificate. The RSA Hardware Certificate 1416 is used 40 indicating that the gateway has been identified by the client 

in SSL communications where the identity of the gateway computer. When a query message is received by the gateway 

interface device needs to be proven, for example when interface device, it sends back a directed (non-broadcast) 

opening a session to a remote management server. It is also advertisement message containing the same information as 

used for SSL-secured access to the administrative web in the broadcast advertisement. When the gateway interface 

server. 45 device receives an acknowledgment, it stops issuing its 

The second level of certificate key hierarchy for the broadcast advertisement. The acknowledgment should carry 

remote management server implementation is a remote an indication of whether the client used a fixed IP address or 

management Certificate Authority, referred to as the RSA a DHCP provided address. The client computer is configured 

Head-End CA 1414. This Certificate Authority has an RSA use a DHCP address if it did not have a predefined IP 

key pair, and its certificate is signed with the root RSA key. 50 address. The client computer listens for any GIP advertise- 

Each remote management server receives an RSA key pair ment and may try to initiate GIP query messages if possible 

along with a public key Certificate signed by the RSA in order to reduce wait time. After receiving a GIP adver- 

Head-End CA. This certificate is known as an RSA Head- tisement message from the gateway interface device, it sends 

End Certificate 1418, which, for the remote management a directed acknowledgment message back to the gateway 

server, represents the third level in the certificate key hier- 55 interface device and uses the indicated URL to contact the 

archy. The RSA Head-End Certificate 1418 is used in SSL administration web server. 

communications where the identity of the remote manage- In normal operation, the GIP protocol is also used for new 

ment server needs to be proven, for example when providing clients to identify the gateway interface device. Client 

upgrade or reconfiguration software packages to a gateway computers issue a broadcast query message and expect an 

interface device. Remote management servers may specify 60 advertisement back. This advertisement carries the URL to 

their own authentication and access policies. be used for administering a new client. Thus, using the GIP, 

Like the RSA system, the DSA system also includes the server listens for a broadcast over the LAN. This 

second and third level key certificates for the gateway operation does not require an address. The server listens for 

interface device. DSA Hardware CA 1422 represents the broadcast from the GIP client which is running on the client 

second level key certificate, and DSA Hardware Certificate 65 computer. The GIP client is basically broadcasting whether 

1424 represents the third level key certificate. In addition, there are any gateways on the LAN. The GIP, in this 

the DSA system includes engineering and licensing signed situation, has first checked to see whether there are any 
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services on the network which provide automatically IP 
addresses, such as DHCP. At this point, a temporary address 
is assigned to the gateway interface device. 

FIG. 13 is a flow chart which illustrates the process of determining a gateway address using the Gateway Installation Protocol. In steps 1302 and 1304, the gateway interface device and gateway computer are configured to communicate GIP messages over the client LAN. The gateway interface device is referred to as the GIP server, and the gateway computer is referred to as the GIP client for purposes of GIP communications.

The gateway interface device first queries the LAN to determine whether an automatic IP address service (e.g., DHCP) is available, step 1306. If in step 1308 it is determined that an IP address service is not available, the gateway interface device will assign a temporary IP address to the gateway. If it is determined in step 1308 that an IP address service is available, however, the gateway interface device will assign the IP address provided by the service to the gateway, step 1310. In an alternative embodiment of the present invention, the user will be advised to disable any such address provision service, so that a temporarily assigned IP address will always be used upon initial configuration.

Once a gateway address (temporary or assigned) has been associated with the gateway, the gateway interface device transmits a GIP broadcast advertisement message over the client LAN, step 1314. The GIP broadcast advertisement message contains the gateway address, as well as a URL for the administrative web service. In the meantime, the client may transmit a broadcast query or acknowledgment message, step 1316. The query message is a message from a client computer indicating that the client computer is trying to locate the gateway. When a query message is received by the gateway interface device, it sends back a directed (non-broadcast) advertisement message containing the same information as in the broadcast advertisement. In response to a directed or non-directed GIP advertisement message, the gateway computer transmits a GIP acknowledgment message. The acknowledgment message indicates that the gateway has been identified by the client computer. Upon receipt of an acknowledgment, the gateway interface device stops issuing the broadcast advertisement. Once the client computer has identified the gateway, the client computer accesses the administrative web service URL contained in the advertisement message, step 1318.
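The GIP exchange described above (advertisement, query, acknowledgment), with both ends modelled in memory, as an added example that is not code from the patent. The JSON wire format, the field names, the broadcast destination and the sample addresses are assumptions, and the client-side source and https checks are hardening added here rather than steps the patent describes.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

BROADCAST = "255.255.255.255"  # assumed LAN broadcast destination

def encode(kind, **fields):
    """Serialize one GIP message (the JSON wire format is an assumption)."""
    return json.dumps({"gip": kind, **fields}, sort_keys=True).encode()

def decode(datagram):
    """Parse a datagram; return None for anything that is not a GIP message."""
    try:
        msg = json.loads(datagram.decode("utf-8"))
    except ValueError:  # bad UTF-8 or bad JSON
        return None
    ok = isinstance(msg, dict) and msg.get("gip") in ("adv", "query", "ack")
    return msg if ok else None

@dataclass
class GipServer:
    """Gateway interface device side (the GIP server)."""
    address: str
    admin_url: str
    dhcp_found: bool
    advertising: bool = True  # uninitialized state: periodic broadcast is on

    def advertisement(self):
        return encode("adv", address=self.address, url=self.admin_url,
                      dhcp_found=self.dhcp_found)

    def tick(self):
        """Periodic timer: broadcast the advertisement until acknowledged."""
        return [(BROADCAST, self.advertisement())] if self.advertising else []

    def receive(self, src, datagram):
        msg = decode(datagram) or {}
        if msg.get("gip") == "query":  # reply with a directed advertisement
            return [(src, self.advertisement())]
        if msg.get("gip") == "ack":    # a client has identified the gateway
            self.advertising = False
        return []

@dataclass
class GipClient:
    """Client computer side (the GIP client)."""
    address: str
    used_dhcp: bool
    gateway_url: str = ""

    def query(self):
        return [(BROADCAST, encode("query"))]

    def receive(self, src, datagram):
        msg = decode(datagram)
        if msg is None or msg["gip"] != "adv":
            return []
        try:
            url = urlsplit(str(msg.get("url", "")))
        except ValueError:
            return []
        # Added hardening (not in the patent): the advertised address, the URL
        # host and the datagram source must agree, and the URL must be https.
        if msg.get("address") != src or url.hostname != src or url.scheme != "https":
            return []
        self.gateway_url = msg["url"]
        return [(src, encode("ack", addressing="dhcp" if self.used_dhcp else "fixed"))]

def run_exchange(server, client):
    """Deliver datagrams between the two ends in memory; return what was sent."""
    trace = []
    queue = [(client.address, dst, data) for dst, data in client.query()]
    queue += [(server.address, dst, data) for dst, data in server.tick()]
    while queue:
        src, dst, data = queue.pop(0)
        trace.append((decode(data)["gip"], "broadcast" if dst == BROADCAST else "directed"))
        receiver = server if src == client.address else client
        queue += [(receiver.address, d, out) for d, out in receiver.receive(src, data)]
    return trace

if __name__ == "__main__":
    gw = GipServer("192.168.1.1", "https://192.168.1.1/admin", dhcp_found=False)  # constructed
    pc = GipClient("192.168.1.20", used_dhcp=False)                              # constructed
    print(run_exchange(gw, pc), pc.gateway_url, gw.tick())
```

Because GIP itself carries no authentication, the identity of the administration web server still has to be established over the SSL session that follows.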

Thus, a method and apparatus have been described for allowing the remote initialization, configuration and upgrade of a network interface device. Although the present invention has been described with reference to specific exemplary embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the invention as set forth in the claims. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.
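The device side of the reconfiguration protocol described earlier (steps 1202 to 1214: verify, record, apply within the apply time window, verify the result, roll back and report on failure), as an added example that is not code from the patent. The notification layout, the status strings, the `healthy` post-apply check, reporting a rejected request to the server, and treating a missed window as a problem are all assumptions.

```python
import copy

class Reconfigurator:
    """Device-side handling of reconfiguration notifications (steps 1202-1214)."""

    def __init__(self, store, notify, healthy=lambda store: True):
        self.store = store      # data store: parameter name -> value
        self.notify = notify    # reports (status, detail) to the management server
        self.healthy = healthy  # hypothetical post-apply check (assumption)
        self.recorded = []      # accepted notifications awaiting their window

    @staticmethod
    def problem(note):
        """Return a reason string if the request is not acceptable, else None."""
        if not isinstance(note, dict):
            return "not a notification"
        window, ops = note.get("apply_window"), note.get("ops")
        if (not isinstance(window, (list, tuple)) or len(window) != 2
                or not all(isinstance(t, (int, float)) for t in window)
                or window[0] > window[1]):
            return "bad apply time window"
        if not isinstance(ops, list) or not ops:
            return "no data store operations"
        for op in ops:
            known = isinstance(op, dict) and op.get("op") in ("add", "delete")
            if not known or not isinstance(op.get("key"), str):
                return "malformed operation"
            if op["op"] == "add" and "value" not in op:
                return "add without a value"
        return None

    def receive(self, note):
        """Step 1202: verify the request; step 1204: record it if valid."""
        reason = self.problem(note)
        if reason:
            self.notify("rejected", reason)  # assumed: rejection is reported
            return False
        self.recorded.append(copy.deepcopy(note))
        return True

    def run(self, now):
        """Step 1206: apply every recorded notification whose window has opened."""
        for note in [n for n in self.recorded if n["apply_window"][0] <= now]:
            self.recorded.remove(note)
            if now > note["apply_window"][1]:
                self.notify("problem", "apply time window missed")
            else:
                self.apply(note["ops"])

    def apply(self, ops):
        before = copy.deepcopy(self.store)  # state to roll back to
        try:
            for op in ops:
                if op["op"] == "add":
                    self.store[op["key"]] = op["value"]
                else:
                    del self.store[op["key"]]  # KeyError if the entry is absent
            ok, detail = bool(self.healthy(self.store)), "post-apply check failed"
        except KeyError as missing:
            ok, detail = False, f"no such parameter: {missing.args[0]}"
        if ok:                                # step 1208 passed
            self.notify("reconfigured", "")   # step 1214
        else:
            self.notify("problem", detail)    # step 1210
            self.store.clear()                # step 1212: restore prior state
            self.store.update(before)

if __name__ == "__main__":
    params = {"dns": ["10.0.0.2"], "mtu": 1500}  # constructed data store
    device = Reconfigurator(params, lambda status, detail: print(status, detail))
    device.receive({"apply_window": (100, 200),
                    "ops": [{"op": "add", "key": "mtu", "value": 1400}]})
    device.run(now=150)
    print(params)
```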

What is claimed is: 

1. A method of securely providing a service to a client 
computer coupled to a first network, said method comprising 
the steps of:
providing said service in a network interface device 
coupled between said first network and a second net- 
work; 

providing a service request from said client computer to
said network interface device, said service request
capable of altering said service in said network inter-
face device;

transmitting said service request to a configuration
manager, said configuration manager configured to 
provide an application program interface between a 
user interface on said client computer and said service; 
and 

transmitting said service request from said configuration 
manager to a service manager, said service manager 
being configured to provide an application program 
interface between said configuration manager and said 
service. 

2. The method of claim 1 further comprising the steps of:

receiving one or more diagnostic messages from said
service in a diagnostic log process;

transmitting said one or more diagnostic messages to one 
or more diagnostic agents, each diagnostic agent being 
configured to automatically receive a predetermined 
type of message from said diagnostic log process; 

transmitting one or more reporting messages from said 
one or more diagnostic log agents to a reporting 
process, said reporting process being configured to 
receive reporting messages from said one or more 
diagnostic agents; and 

transmitting commands from said reporting process to a 
user interface on said client computer based on said 
reporting messages. 

3. The method of claim 1 wherein said service request is 
input to said user interface on said client computer. 

4. The method of claim 1 wherein said service request is 
generated by a process on a remote management server, said 
remote management server coupled to said network inter- 
face device through said second network. 

5. The method of claim 1 wherein said service request is 
generated by a process on a remote management server, said 
remote management server coupled to said network inter- 
face device through an alternate communication network. 

6. The method of claim 1 wherein said service manager is 
further configured to perform a syntax check on said service 
request, said syntax check comprising a first level test and a 
second level test, wherein 

said first level test comprises a test of a parameter 
included in said service request and a failure of said 
first level test results in a rejection of said parameter; 
and 

said second level test comprises a test of the entire service 
request and a failure of said second level test results in 
a rejection of said service request. 

7. The method of claim 4 further comprising the step of 
establishing a trust relationship between said first network 
and said second network, said trust relationship imple- 
mented through cryptographic encoding of communications 
between said first network and said second network through 
said network interface device. 

8. In a network interface device, a method of providing 
one or more services to a client computer on a first network, 
the method comprising the steps of: 

providing a configuration manager server process, said 
configuration manager providing an application pro- 
gram interface between said client computer and said 
one or more services allowing for alteration of said one 
or more services; 

providing a database for storing configuration and status 
information related to said one or more services 
accessed by said client computer; and 

providing one or more service manager dynamic library
processes, each service manager corresponding to one
of said one or more services, each service manager
providing an application program interface to a corre-
sponding service and adapting commands and data
transfers between said corresponding service and said
configuration manager.

9. The method of claim 8 further comprising the steps of:

providing a diagnostic log process which is configured to
receive diagnostic and error messages from said one or
more services;

providing one or more diagnostic agents, each of which
are configured to automatically receive a predeter- 
mined type of diagnostic message from said diagnostic 
log process; and 

providing a reporting process which is configured to
receive reporting messages from said one or more 
diagnostic agents and send commands to a user inter- 
face on said client computer based on said reporting 
messages. 

10. The method of claim 8 wherein said configuration
manager is configured to accept a service request from either 
said user interface on said client computer or a remote 
process on a remote management server coupled to said 
network interface device through a second network. 

11. The method of claim 8 wherein said service request
includes one or more program instructions which initially 
configure said network interface device for operation on said 
first network in accordance with system software of a first 
revision level. 

12. The method of claim 8 wherein said service request
includes one or more program instructions which upgrade 
said network interface device for operation on said first 
network in accordance with system software of a second 
revision level. 

13. The method of claim 8 wherein said service request
comprises a reconfiguration notification, said reconfigura- 
tion notification including one or more data words to be 
stored in said database. 

14. The method of claim 8 wherein said service managers 
are implemented in architecture independent program
modules, said service managers capable of being loaded on 
demand by said configuration manager, and wherein said 
configuration manager is also implemented in an architec- 
ture independent program module. 

15. A system for interfacing a first network to a second
network, wherein said system provides one or more network 
services, said system comprising: 

means for receiving a network service request directed to 
one of said one or more network services; 

means for managing configuration information and adapt-
ing said request to a format recognized by said system
allowing for alteration of said one or more network 
services; 

means for storing data related to configuration of said 
system; and

means for adapting said request to a format recognized by 
said network service to which said network request is 
directed. 

16. The system of claim 15 further comprising

means for receiving diagnostic information generated by
said network service;

means for responding to said diagnostic information
based on the type of diagnostic message contained
within said diagnostic information and content of said
diagnostic message; and

means for transmitting a command to a user interface on
said computer coupled to said first network in response
to a pre-determined type of diagnostic message.

17. The system of claim 15 wherein said service request 
is input to a user interface on said computer coupled to said 
first network. 

18. The system of claim 15 wherein said input request is 
generated by a remote process executed on a remote man- 
agement server coupled to said system through said second 
network. 

19. The system of claim 15 further comprising push- 
button means for resetting said system, said push-button 
means accessing a first reset state and a second reset state, 
and wherein 

said first reset state causes the execution of a diagnostic 
program by said system, said first reset state being 
accessed by depressing said push-button means for a 
first duration; and 

said second reset state causes a restart of said system, said 
second reset state being accessed by depressing said 
push-button means for a second duration. 

20. An article of manufacture embodying a program of 
instructions executable by a machine for securely providing 
a service to a client computer coupled to a first network, the 
program of instructions including instructions for 

providing said service in a network interface device 
coupled between said first network and a second net- 
work; 

providing a service request from said client computer to 
said network interface device, said service request 
capable of altering said service in said network inter- 
face device; 

transmitting said service request to a configuration 
manager, said configuration manager configured to 
provide an application program interface between a 
user interface on said client computer and said service; 
and 

transmitting said service request from said configuration 
manager to a service manager, said service manager 
being configured to provide an application program 
interface between said configuration manager and said 
service. 

21. An article of manufacture according to claim 20, 
wherein said program of instructions further includes 
instructions for: 

receiving one or more diagnostic messages from said 
network service in a diagnostic log process; 

transmitting said one or more diagnostic messages to one 
or more diagnostic agents, each diagnostic agent being 
configured to automatically receive diagnostic mes- 
sages from said diagnostic log process, and each diag- 
nostic agent being configured to receive a predeter- 
mined type of message from said diagnostic log 
process; 

transmitting one or more reporting messages from said 
one or more diagnostic log agents to a reporting 
process, said reporting process being configured to 
receive reporting messages from said one or more 
diagnostic agents; and 

transmitting commands from said reporting process to a 
user interface on said client computer based on said 
reporting messages. 

* * * * *